Solved: Re: Cisco 3560-CX cant ping between VLANS

kingsley123 · ‎08-11-2020

I am just running up a new 3560-CX lab switch to play with and having some issues.

Scenario:

- VLAN 10 clients cant ping VLAN 20 clients and vise versa.

- Both clients can be pinged from switch (confirming its not windows firewall)

- Both clients can ping both VLAN 10 and VLAN 20 SVIs from the command prompt.

- Clients have correct SM and default gateways configured of the relevant Switch SVI

-IP routing enabled

Switch is brand new, configured out of the box with the below config. Thoughts on what I am missing? Is there something specific to the CX platform that differs from the older router/switches?

TEST_SW#sh run
Building configuration...

Current configuration : 1935 bytes
!
! Last configuration change at 06:16:23 UTC Wed Aug 12 2020
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TEST_SW
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxxxxxxxx
!
username admin privilege 15 password 7 xxxxxxxxx
username test password 7 xxxxxxxx
no aaa new-model
switch 1 provision ws-c3560cx-12pd-s
system mtu routing 1500
!
!
!
!
ip routing
no ip cef optimize neighbor resolution
!
!
!
vtp mode transparent
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
vlan 10
name TEST_VLAN1
!
vlan 20
name vlan20
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 10
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
ip forward-protocol nd
!
!
ip http server
ip http secure-server
!
!
!
!
!
!
line con 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
ntp server 34.202.215.187
!
end

TEST_SW#
TEST_SW#
TEST_SW#
TEST_SW#ping 192.168.10.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.40, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
TEST_SW#ping 192.168.20.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.40, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/7 ms

TEST_SW#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan10
L 192.168.10.1/32 is directly connected, Vlan10
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, Vlan20
L 192.168.20.1/32 is directly connected, Vlan20
TEST_SW#

kingsley123 · ‎08-12-2020

Ok sorted now.

I Couldnt turn off windows firewall completely on corporate machines so had to put File and Print sharing ICMP exceptions in there which normally works. As the network was completely segregated and had no internet connection the network was not identified as public/private/domain and were "unidentified" so the firewall policy didn't seem to have any effect.

Ran up two fresh build test laptops, turned off windows firewall altogether and works now.

View solution in original post

Georg Pauwen · ‎08-12-2020

Hello,

which template are you running (sh sdm prefer) ?

kingsley123 · ‎08-12-2020

Template is default:

TEST_SW#sh sdm prefer
The current template is "default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 16K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 5K
number of directly-connected IPv4 hosts: 4K
number of indirect IPv4 routes: 1K
number of IPv6 multicast groups: 1K
number of IPv6 unicast routes: 5K
number of directly-connected IPv6 addresses: 4K
number of indirect IPv6 unicast routes: 1K
number of IPv4 policy based routing aces: 0.25K
number of IPv4/MAC qos aces: 0.375k
number of IPv4/MAC security aces: 0.375k
number of IPv6 policy based routing aces: 0.25K
number of IPv6 qos aces: 0.25K
number of IPv6 security aces: 0.375k

Georg Pauwen · ‎08-12-2020

Hello,

for the sake of testing, can you install the lanbase-routing template ?

TEST_SW(config)# sdm prefer lanbase-routing

kingsley123 · ‎08-12-2020

That option isnt available:

TEST_SW(config)#sdm prefer ?
default Default bias

TEST_SW(config)#sdm prefer

Georg Pauwen · ‎08-12-2020

Hello,

never mind, the default template should work fine anyway...

You could try and reset the switch to factory defaults...

https://fatmin.com/2015/09/29/how-to-reset-cisco-catalyst-3560-back-to-factory-defaults/#:~:text=First%20you%20need%20to%20power,switch%20prompt%20as%20shown%20below.

vb10 · ‎08-12-2020

Hello,

I can suggest additional tests:

1. Try to ping each client from switch, but with source interface of different SVI:

- ping 192.168.20.40 source vlan 10

- ping 192.168.10.40 source vlan 20

2. If it doesn't work, then it might be the problem on PC (Firewall might allow only local subnet traffic)

3. If it works, then it's not PC issue. You need to figure out where exactly traffic is dropped:

a) it looks like test setup with no too much traffic, so you can try to debug traffic based on ACL

b) use SPAN with capture to see, whether traffic is forwarded on switch toward other VLAN.

kingsley123 · ‎08-12-2020

Ok sorted now.

I Couldnt turn off windows firewall completely on corporate machines so had to put File and Print sharing ICMP exceptions in there which normally works. As the network was completely segregated and had no internet connection the network was not identified as public/private/domain and were "unidentified" so the firewall policy didn't seem to have any effect.

Ran up two fresh build test laptops, turned off windows firewall altogether and works now.